openmpi/opal/mca/sec/sec.h

/*
 * Copyright (c) 2014      Intel, Inc. All rights reserved.
 * $COPYRIGHT$
 * 
 * Additional copyrights may follow
 * 
 * $HEADER$
 */
/** @file:
 *
 * The Security Framework
 *
 */

#ifndef OPAL_SEC_H
#define OPAL_SEC_H

#include "opal_config.h"
#include "opal/types.h"

#include "opal/mca/mca.h"
#include "opal/dss/dss_types.h"


/* The security framework is a single-select one - i.e.,
 * only one plugin is active at any time, though multiple
 * plugins may build. When init is called, each plugin that
 * built should check to see if it can connect to its
 * respective server - if it can, then it should return
 * success to indicate it is ready to be used.
 *
 * For scalability, it is important that each process only
 * contact the security server once, and only when requested
 * to do so. Thus, the plugin should not get credentials for
 * the process until the first call to "get_my_credentials",
 * and should then cache the results for future use.
 */

BEGIN_C_DECLS

typedef struct {
    char *credential;
    size_t size;
} opal_sec_cred_t;

/*
 * Initialize the module
 */
typedef int (*opal_sec_base_module_init_fn_t)(void);

/*
 * Finalize the module
 */
typedef void (*opal_sec_base_module_finalize_fn_t)(void);

/*
 * Get a security credential for this process - return pointer to
 * a "credential" that I can use for authenticating myself to another process.
 * The value must be returned in a network-byte-ordered form suitable
 * for sending across the network.
 *
 * It isn't expected that the identifier will be used to obtain a
 * certificate as external security systems will have no idea what
 * it means. However, some modules may use it, and there is no way
 * for the opal layer to know a process identifier without being told,
 * so provide it here
 *
 * Likewise, the security framework isn't going to house its own datastore
 * handle, and some modules may want to check to see if a credential
 * was stored in the data store, so provide a means for passing in the
 * handle where such data might be stored
 *
 * Function returns OPAL_SUCCESS if a credential was assigned, or an error
 * code indicating why it failed
 */
typedef int (*opal_sec_base_module_get_my_cred_fn_t)(int dstorehandle,
                                                     opal_identifier_t *my_id,
                                                     opal_sec_cred_t **cred);

/*
 * Authenticate a security credential - given a security credential,
 * determine if the credential is valid. The credential is passed in
 * a network-byte-ordered form as it came across the network.
 *
 * Function returns OPAL_SUCCESS if the token is authenticated, or an
 * error code indicating why it failed
 */
typedef int (*opal_sec_base_module_auth_fn_t)(opal_sec_cred_t *cred);

/*
 * the standard module data structure
 */
struct opal_sec_base_module_1_0_0_t {
    opal_sec_base_module_init_fn_t          init;
    opal_sec_base_module_finalize_fn_t      finalize;
    opal_sec_base_module_get_my_cred_fn_t   get_my_credential;
    opal_sec_base_module_auth_fn_t          authenticate;
};
typedef struct opal_sec_base_module_1_0_0_t opal_sec_base_module_1_0_0_t;
typedef struct opal_sec_base_module_1_0_0_t opal_sec_base_module_t;

/*
 * the standard component data structure
 */
struct opal_sec_base_component_1_0_0_t {
    mca_base_component_t base_version;
    mca_base_component_data_t base_data;
};
typedef struct opal_sec_base_component_1_0_0_t opal_sec_base_component_1_0_0_t;
typedef struct opal_sec_base_component_1_0_0_t opal_sec_base_component_t;

/*
 * Macro for use in components that are of type sec
 */
#define OPAL_SEC_BASE_VERSION_1_0_0 \
  MCA_BASE_VERSION_2_0_0, \
  "sec", 1, 0, 0

/* Global structure for accessing SEC functions */
OPAL_DECLSPEC extern opal_sec_base_module_t opal_sec;  /* holds base function pointers */

END_C_DECLS

#endif